Jan 21

Reflex vTrust was awarded SearchServerVirtualization’s Silver Award for Virtualization Security Product of the Year for 2009. According to the TechTarget write up:ProductOfYear_Silver_2009

“Reflex’s vTrust technology provides a robust network security solution for virtual environments. It is the company’s next-generation security product that takes advantage of VMware Inc.’s VMsafe application programming interfaces (API) to provide simpler and better integration with vSphere. VTrust’s compelling user interface provides an easy-to0use and effective means of displaying the data collected from security tools. And vTrust does more than define firewall policies; it integrates with the operational aspect of virtual environment.”

Reflex vTrust Security

Reflex vTrust Security

written by Laura Armistead \\ tags: , , ,

Sep 22


What would a deployment of over 6 million virtual machines look like? The picture to the right is 10,000 nodes so multiply that by 600. Today we announced that Savvis (NASDAQ:SVVS) has selected Reflex to provide virtual security infrastructure for their new Project Spirit offering. The Reflex vTrust software will be deployed in tandem in the Savvis cloud with the Cisco Nexus 1000V creating a highly scalable cloud infrastructure. Savvis has over 1.4 million square feet of raised floor so if you did some back of the envelope extrapolation, made some assumptions on hardware, and considered every square foot could be used for virtualization hosting, which would never happen but is kind of fun to think about, Savvis could theoretically run over 6 million virtual machines across their existing 28 data centers. Managing the security in that large of an environment presents some pretty tough challenges.

savvis As Phil Koen, CEO of Savvis, has stated, “Without a doubt, security is a single largest customer concern around Cloud.” In addition John Chambers has stated that cloud computing “is a security nightmare and it can’t be handled in traditional ways.” John is right; solving the cloud security problem has been quite challenging. We definitely did not take a traditional approach and instead came up with a very dynamic policy model that can scale to large environments. The Savvis selection of Reflex is a testament to the intellectual property that has been built into the Reflex VMC solution using the vTrust technology and made possible by the new VMsafe technology built into vSphere by VMware.

One of the exciting new possibilities about Savvis and other service providers running the Reflex VMC solution internally is the ability to dynamically move virtual machines between the environments. With the addition of the new VMware vCloud API, VMware has opened up a great foundation for moving virtual machines between your enterprise and the cloud. What Reflex is adding to the vCloud initiative is automating the transfer of sophisticated internal security policy to/from the cloud. Automated security policy transfer means that no matter where virtual machines may live as a part of an application, the security policy of the virtual machines travels with them. This type of policy movement does not make any assumptions about the applications themselves but instead assumes a raw IaaS type of service offering.

To hear more about how VMware, Reflex, and Savvis are working together to advance the state of cloud computing, feel free to register for our joint webinar on October 6th: https://www2.gotomeeting.com/register/679833250

Aaron Bawcom is the Chief Technology Officer for Reflex Systems, a provider of end-to-end virtualization management solutions based out of Atlanta, GA. Contact him at abawcom@reflexsystems.com.

written by Aaron Bawcom \\ tags: , , , , ,

Aug 26

After a grueling three months of intense testing since the release of vSphere 4.0, Reflex has officially passed the VMsafe technical certification tests. We have received a cryptographically signed version of our VMsafe module from VMware which signifies that we have passed the rigorous tests created by VMware to operate within the hypervisor kernel itself. At the time of writing, Reflex is the only VMsafe certified solution on the market. The certification further illustrates Reflex Systems’ leadership and our continuing effort to streamline the operation of data centers. The press announcement for the certification can be found here. If you would like to try out our solution within your IT environment you can download the product from the Reflex website.

written by Aaron Bawcom \\ tags:

Aug 17

Smooth Move
Cloud computing offers lots of opportunities for small startups, medium sized businesses, and large enterprise organizations to operate their IT organization more efficiently. In fact there has been a lot of discussion around VMware’s recent acquisition announcement of SpringSource. This is a great move by VMware and could enrich their upcoming vCloud offering, give them a product offering for PaaS that can integrate tightly into their existing IaaS product offering, and in general give them deeper insight into applications as well as getting into the minds of developers. I’m not going to go into the benefits of cloud computing (cost, flexibility) but instead spend some time on some new capabilities of an Infrastructure as as Service (IaaS) cloud offering.

Your turn. PaaS
One of the challenges with PaaS is that if you have an existing application that is not currently compatible with the platform, it may be difficult or even impossible to reap the benefits of cloud computing. Even though the cloud may offer huge advantages, you have to figure out how to get your app in the cloud. At minimum, this may require a slight refactoring of the application or potentially re-writing the majority of the application. Worse yet, what happens if you need to move the application from an external cloud back into your local cloud or even a different external cloud? The application’s compatibility with the cloud is extremely dependent on the platform support by the cloud and thus might make its mobility less viable. PaaS offerings are rich with many integrated features that much of the industry is moving towards but they do suffer from problems surrounding compatibility.

Where did I put those keys again?
IaaS however can be completely generic, offering application mobility with little to no application changes. The problem is that there is currently a lack of rich capabilities for IaaS offerings in the marketplace. There is a lack of broad infrastructure services that offer enterprise class services compared to entire platforms that offer several large buckets of services. As pointed out by Cisco CEO John Chambers one of the most difficult cloud computing problems is around securing the cloud.

vTrust Insidetm
One of the new technologies from VMware to help address this problem is called VMsafe. VMsafe is an infrastructure technology that allows security services built directly into the cloud infrastructure itself. Reflex has spent the last year building a new technology called vTrust that provides this infrastructure level security service within the cloud plumbing. This means that if you are running an Enterprise VMware cloud the Reflex vTrust technology could connect your internal private cloud to an external VMware based cloud and secure your virtual machines the same way no matter where they were running. In fact, you could run some portions of an application in an external cloud and other parts of the application internally based on a single application security policy.

Not your daddy’s cloud
At this point you might be wondering “How is this different from running a firewall in the cloud?”. The difference is in the policy management mechanism. The Reflex vTrust technology allows you to set the policy for your applications once within your Enterprise cloud and no matter where your virtual machines move, the security policy automatically moves with the virtual machine. There is no need to manually set the firewall policy in the cloud once the VM moves to the cloud, that is the advantage of the cloud plumbing handling the security infrastructure.

Your own little slice of cloud
Once you have more flexibility in deciding where your IT assets are running, your IT organization as well as your business can operate with more agility. You have the options to:

  • Move an existing application to the cloud
  • Burst the number of virtual machines dedicated to an application into the cloud
  • Adjust application resources seasonally
  • Make applications more accessible to worldwide teams
  • Deploy portions of an application to a cloud

All of these capabilities would be possible without the requirement to restructure your application code.

written by Aaron Bawcom \\ tags: , ,

Jul 23


“I’ve been working on the railroad…”
One of the most useful features of virtualization is the concept of workload balancing. Workload balancing can turn a server farm into a sweaty toothed engine of computation power. As a virtualization administrator, the constant challenge is squeezing as much performance out of your virtual infrastructure as possible. The more physical hosts you can have in a cluster, the better operational efficiency you will get across your virtual infrastructure. So how can VMsafe, a security thing, possibly help with this?

There’s no place like home
One of the key requirements for workload balancing is that all of the virtual machines that operate within a shared cluster must have network connectivity. Which makes sense; the virtual infrastructure has to know that if it moves a virtual machine to a new host that it will still have the same network connectivity that it had before and the applications on the virtual machine will continue to operate normally.

Off the grass!
Since the virtual infrastructure requires network connectivity for virtual machines in a cluster, application owners end up wanting some segmentation between their applications and other applications. Some administrators may use VLANs to solve that problem but this can be problematic and somewhat cumbersome. There are several ways to deal with this problem but what happens more often than not is that separate clusters are created for different departments or applications.

So let’s say you had 30 ESX hosts and you segment 10 different applications that are hosted by the virtual infrastructure into different clusters which means you would be running 10 clusters with an average of 3 hosts per cluster. vSphere 4.0 allows you to run up to 32 hosts in a single cluster so you would not be getting the greatest operational efficiency you could squeeze out of your environment.

A brave new world
Using the new Reflex vTrust technology, you can easily segment different applications without the use of VLANs so that they all exist on the same network meeting the requirements for large-scale workload balancing and still provide application owners isolation between their applications. You could merge those existing 10 clusters into a single super cluster achieving higher service levels and ultimately requiring less hardware to operate an efficient virtual environment.


written by Aaron Bawcom \\ tags: , , , ,

Jul 07


We are in the home stretch on our next release here at Reflex. I already showed a view of the vmSafe based network policy editor and now I’m going to reveal some more of our vTrust dynamic policy capabilities. The window at the right is an editor for a simple alerting rule.

Using Reflex’s domain specific query language, VQL, a condition is set that looks for a disconnected host event. When that event is detected, a python script is run that adds a new alert into the Reflex management system and sends an email to the administrator

We are combining Reflex’s ability to track events, configuration changes, security alerts, and other information to write comprehensive policy with automated enforcement. The use of the VMware python API, and soon Power Shell, translates to limitless possibilities for policy enforcement in virtual environments.

Want to see more? Sign up for our beta and try it out against existing VI3 environments or use this and the vmSafe component with vSphere.

First Reflex lets you see your virtual environment, now you can take control of it.

Mike Wronski, VP of Product Management
Twitter: @Reflex_Mike

written by Mike Wronski \\ tags: , ,

May 29

There has been a lot of discussion in the virtualization community about using virtualized DMZ’s. This is a great idea since you get all of the cost advantages of virtualization for systems in the protected DMZ. VMware has a great Best Practices paper that was written before the introduction of vSphere on this topic. Now that the VMsafe API’s have been released as a part of vSphere, the ability to move beyond best practices and significantly simplify the process of moving assets in and out of a DMZ area have become amazingly simple. Using our new vTrust technology within the VMC product, Reflex has used the concept of tags to ease the management of systems. Making tags a first class concept (vmTagging) in the management of an infrastructure can act as a demarcation point between virtualization administrators and security administrators as shown below.

Let’s say you are a virtualization administrator and you’ve gotten a request to put a system in the DMZ. You would simply right click on the virtual machine and choose the “DMZ” tag that was created by the security team. It doesn’t matter where the VM is located, what portgroup it is connected to, or what its IP addresses are, the security policy for the VM will be set correctly based on your change.

captured_Image.png[11] captured_Image.png[13]

written by Aaron Bawcom \\ tags: , ,

May 20

I am in sunny Las Vegas this week at Interop and overall the show has been positive.  I am surprised but very pleased by the attention and focus around virtualization this year.  I just participated in a panel discussion about virtualization security that went very well. Anne Skamarock of Focus Consulting did a great job moderating the panel and asking excellent questions that will certainly help end users get a better grasp of virtualization security. In addition to me, the other speakers that participated in the panel were Charu Chaubal, Senior Architect, Technical Marketing at VMWare, Chris Orr, Sr. Systems Engineer/Business Development at Tripwire, Michael Berman, CTO of Catbird. All panelists brought different perspectives to various aspects of virtualization security and compliance.


The discussion focused around the following topics: the security level of the virtual infrastructure versus the physical infrastructure, Hypervisor security threats, audit and compliance in the virtual environment, and VMware’s new vSphere 4 VMsafe solution.


Charu Chaubal did a great job explaining VMware’s VMsafe technology. VMware VMsafe is a new security technology for virtualized environments that can help to protect your virtual infrastructure in ways previously not possible with physical machines. VMsafe provides a unique capability for virtualized environments through an application program interface (API)-sharing program that enables select partners to develop security products for VMware environments.


Reflex’s new release of the Virtualization Management Center uses the VMsafe API to control and enforce policies in the virtual environment.  The VMsafe APIs enable Reflex’s new vTrust technology providing customers the ability to enforce strong security, tighter policy and control, better isolation and segmentation, enhanced scalability and more efficient management.  I am very pleased with the VMsafe technology and the way that it enables partners like Reflex Systems to deliver state of the art policy management and enforcement capabilities for virtual environments.


The following are some of the questions that were discussed on the panel:

1.    With the changes to the infrastructure to add the virtualization layer and pull some of the functionality into the physical server, is a virtual machine more or less secure than a physical machine?

2.    What are the major threats to security when moving from “P to V” and how can you protect yourself against those threats?

3.    Companies have been doing physical audits of their infrastructure for years. Do physical security audits and virtual security audits interrelate? If so, how? If not, why not?

4.    Can I create my DMZ in one or more virtual machines? If so, what is the best practice for securing my virtual DMZ?

5.    Charu, would you please explain the VMsafe initiative? And would each of you discuss how VMsafe affects your solutions?

6.    Are there any cross industry standards that talk about virtual security best practices not only for VMware but also for Hyper-V and XenServer?

7.    What about Regulatory Compliance? With virtual machines, there is no longer strict physical separation of applications and data. In fact, data for different applications often travel through the same I/O card. Can you run healthcare applications on virtual machines and still meet HIPAA regulations? What do you need to be aware of when mixing virtualization and compliance?




Hezi Moore, Reflex Systems


written by Aaron Bawcom \\ tags: , , , ,

Apr 23

Today Reflex Systems released vTrust, the culmination of the last year of development. The new VMsafe enabled Reflex VMC product will for the first time allow organizations to improve the security of their organization at a lower cost by using virtualization. We’ve put a lot of work making it possible to map your business processes directly to your security policy in such a way that as your business changes your security enforcement changes with it without having to go in and change the big bag of snakes that represent low level security rules.

Using the new features of VMware’s vSphere 4, you can now have a giant group of computing clusters, put almost everything on one giant flat network, and provide a significantly more granular security policy than you can today. Applications can be broken into complex tiers to provide the greatest possible protection from threats. If you wanted to work with an external cloud provider to dynamically host portions of your infrastructure based on demand, the vTrust feature set will dynamically follow the virtual machine no matter where it lives. If you wanted to specify policy on incredibly high level criteria such as “Don’t allow any system to connect to the line of business Application Bar that had OS Application Faz installed within the last 30 days AND that was created by user Bob AND is running any variant of Operating System Foo”.

The Reflex vTrust functionality allows you to easily blanket your entire virtualized environment with high level rules and whenever anything changes in the environment that violates these rules, the dynamic policy enforcement engine computes new low level rules and enforces them.

Welcome to the world of Virtualization. More details on the way…

written by Aaron Bawcom \\ tags: ,

Apr 22


Reflex has been working hard on our next release to coincide with the general availability of VMware vSphere and the VMsafe initiative. We think it will be game changing for policy and security management in virtual environments, going well beyond a simple security zone.

In the mean time, here is a peek at our new policy interface. Look for an announcement with more details soon.

written by Mike Wronski \\ tags: , , ,